Description
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the exec function of the Rapids setproperty primitive handler in h2oAI's h2o-3 engine. It allows an attacker to manipulate property-setting behavior, bypassing the intended access controls. This can enable unauthorized modification of system properties or configuration, potentially leading to unauthorized actions or privilege escalation.

Affected Systems

The affected product is h2o-3 from vendor h2oAI. Any instance of h2o-3 at version 7402 or earlier is vulnerable. No additional versions are specified.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No EPSS score is available and the issue is not listed in CISA KEV. The attack can be carried out remotely and public exploits exist. In environments exposed to untrusted networks the risk is higher, as an attacker could alter properties to gain elevated privileges or compromise system integrity.

Generated by OpenCVE AI on May 17, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a version newer than 7402 as soon as it becomes available.
  • Restrict inbound access to the h2o‑3 service from untrusted networks using firewall rules or network segmentation.
  • Implement strict validation of property keys and values, and monitor logs for abnormal SetProperty usage.



Advisories

No advisories yet.

History

Sun, 17 May 2026 12:00:00 +0000

Values Removed: (none)
Values Added:

Description: A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control
First Time appeared: H2oai; H2oai h2o-3
Weaknesses: CWE-266; CWE-284
CPEs: cpe:2.3:a:h2oai:h2o-3:*:*:*:*:*:*:*:*
Vendors & Products: H2oai; H2oai h2o-3
References
Metrics:
cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T11:45:11.583Z

Reserved: 2026-05-16T16:20:47.483Z

Link: CVE-2026-8752

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T12:16:43.330

Modified: 2026-05-17T12:16:43.330

Link: CVE-2026-8752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T13:45:02Z

Weaknesses